RE: [registrars] WG: [council] Fast Flux DNS

["John Berryhill" <john@xxxxxxxxxxxxxxxxx>]

>The Anti-Phishing Working Group has been trying for years 
>to get registrars to conform to their best practice approach.  

Did you actually *read* the last report?

I sure did.  If recent comments about the AGP are any indication, there are
a whole lot of people who didn't.

While we were sitting in the room in Delhi, and Paul Stahura was explaining
how the AGP can be used to run fraud profile tests and delete names that
meet fraud profiles, I was actually reading the APWG recommendation that
registrars do precisely that.

Now, over in the BCISPIP cross-constituency meeting, they were discussing
how use of the AGP for DOING just what the APWG was recommending, was a
"phony excuse" for keeping the AGP.

Sorry, but I call shenanigans here.

Let's have a rational explanation as to why elements of the GNSO are
hell-bent on ELIMINATING use of one of the mechanisms recommended by the
Anti-Phishing working group.

Is there a "ten words or less" explanation that anyone has, as to WHY the
BCISPIP folks DON'T want registrars to be able to implement the fraud
profile and domain deletion recommendations of the most recent APWG report.

Because if there isn't, this is the wrong place to come crying about just
who is not interested in implementing the APWG recommendations.

> As many of you may know, there is an anti-phishing bill introduced by 
> Senator Snowe in the U.S. senate that, if enacted as currently written, 
> would impose requirements on registrars.  

And the provisions of that bill relating to Fast Flux DNS are where,
exactly?  The argument that an ineffective solution from the GNSO will
forestall an ineffective solution from elsewhere is simply posturing.

I am convinced that too few people are capable of reading and understanding
either the SSAC or APWG reports.

The issue is not "changing name servers" rapidly.  The issue is changing IP
resource records and DNS records *IN* the nameservers rapidly. It is a DNS
and hosting issue, NOT a domain name registration issue.

Where this whole discussion goes into stupid overdrive is that if you want
to put a choke on nameserver changes, then the choke point is at the
REGISTRY.  If you believe that this issue relates to how quickly the
designated nameservers are changed, then you simply roll back to what we had
a few years ago when you had to wait a few hours for batch updates to the
.com (or other TLD) zone file.

I don't know if you know how any of this stuff works, but it is the data in
the TLD zone file that identifies the IP addresses of the name servers in
which DNS records can be found.

REGISTRARS DON'T RUN THE ZONE SERVERS.  Let those six words sink in for a
few moments.  Anyone who does not understand the implications of those six
words to this issue is simply not qualified to participate.

Catering to a group of lawyers who don't know how the internet works doesn't
make sense.  People can have wonderful and interesting opinions about lots
of things.  But if they want to participate in technical coordinating tasks
relevant to a global computer network, then having a clue how that network
actually works would be a great idea.

So, let's re-cap the agenda:

1.  The APWG wants registrars to be able to delete domain names rapidly soon
after registration if fraud is detected.  Much of the GNSO would like to
eliminate that capability.

2.  There is a security issue arising, in part, from too many changes being
permitted to records in the TLD zone files maintained by the REGISTRIES.
Solving this problem is the responsibility of the REGISTRARS.

3.  Agreeing to an irrelevant and ineffective ICANN GNSO proposal will
prevent the US Government from doing silly things.

Hey, here's a "best practice" - how about if the Telco's and ISP's quit
shipping everyone's phone and internet traffic to the US Government without
a warrant (even a retroactive warrant).  Boy, it's a good thing we don't
have outfits like that proposing ICANN policy.

Oh, wait a minute.  We do!

We obviously need better lobbyists.  ICANN participants in the other
constituencies can get their very own law that permits them to engage in
criminal activity with immunity, but we have to pretend to be solving a
problem by agreeing to a solution that won't solve the problem, or we'll be
in big trouble.